[JIRA] (JENKINS-55624) Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

themikenicholson@gmail.com (JIRA)

unread,

Jan 16, 2019, 11:02:02 AM1/16/19

to jenkinsc...@googlegroups.com

Mike Nicholson created an issue

Jenkins /

JENKINS-55624

Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Issue Type:	Bug
Assignee:	ikedam
Attachments:	run_as_specific_user.png, run_as_user_who_triggered.png
Components:	authorize-project-plugin
Created:	2019-01-16 16:01
Environment:	Jenkins ver 2.157, running in a container Authorize Project 1.3.0 Credentials Plugin 2.1.18 Git Client 2.7.4
Priority:	Minor
Reporter:	Mike Nicholson

When attempting to configure source control for a freestyle job with the Build Authorization Strategy set to 'Run as Specific User', I don't see any available git credentials.

I have credentials installed and they appear when I set Build Authorization Strategy to "Run as User who Triggered Build". See attached images.

However, if I set the Build Authorization Strategy to "Run as User who Triggered", configure my job with the proper credentials and then switch to "Run as specific user", everything works, but when I go to configure the job the git credentials section of the config page displays the error that the currently configured credentials cannot be found. This is an ugly workaround but it does let my job run as desired.

Steps to Reproduce:

Install Authorize Project
Configure Global Security > Access Control for Builds and to allow Per-project configurable build authorization with the "Run as Specific User" and "Run as User who Triggered Build" strategies.
Add another user to the local jenkins user database.
Create a new freestyle project.
Enable git source control and add some credentials and select those. Save the project.
Enable "Configure Build Authorization" and set the strategy to "Run as Specific User". Set this to the new user you added (in my case this was not the same as my currently logged in user but testing showed that it didn't make a difference what user I entered)
Go back to the Configure page for the job. Observe that no credentials can be found according to the error on the Git SCM section of the page and no credentials appear in the drop down menu.
Switch the projects authorization strategy to "Run as user who Triggered Build"
Go back to the Configuration page for the job. Observe that the credentials appear valid and all available credentials appear.

Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

devld@ikedam.jp (JIRA)

unread,

Jan 16, 2019, 3:58:03 PM1/16/19

to jenkinsc...@googlegroups.com

ikedam assigned an issue to Unassigned

That looks caused for the newly added user doesn’t have a permission to access that credentials. It sounds an expected behavior.

Anyway, this is an issue of credentials-plugin and I update the cemponent and the assignee.

Jenkins /

JENKINS-55624

Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Change By:	ikedam
Component/s:	credentials-plugin
Component/s:	authorize-project-plugin
Assignee:	ikedam

Add Comment

info@das-peter.ch (JIRA)

unread,

Jun 11, 2019, 11:45:03 PM6/11/19

to jenkinsc...@googlegroups.com

Peter Philipp commented on

JENKINS-55624

Re: Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Since Jenkins pushed the Build Authorization https://jenkins.io/doc/book/system-administration/security/build-authorization/ with the last update, we didn't want to dismiss this and added the plugin.

And we also started experiencing the same issue as described in the summary.
However, it seems like this is actually a git-plugin related issue because while the git plugin doesn't list the parent / global credentials, the docker plugin lists them properly. (I couldn't test if these credentials work yet or are just listed.)
I've also tried to tune the user permissions but no matter if the specified user has full or just limited permissions the parent credentials wont show up.

Checking the issue history of the git-plugin it seems like there has been quite a collection related issues e.g.:
https://issues.jenkins-ci.org/browse/JENKINS-38126?focusedCommentId=289182&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-289182
https://issues.jenkins-ci.org/browse/JENKINS-44773
Following issue also links to some other related issues: https://issues.jenkins-ci.org/browse/JENKINS-44774

Given all that I wonder if the bug report should be filed / merged with one of the git-plugin related issues.

As for now we switched back to using the SYSTEM user.

Add Comment

medianick@gmail.com (JIRA)

unread,

Jul 3, 2019, 10:24:04 AM7/3/19

to jenkinsc...@googlegroups.com

Nick Jones updated an issue

Jenkins /

JENKINS-55624

Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Change By:	Nick Jones
Component/s:	git-plugin

Add Comment

medianick@gmail.com (JIRA)

unread,

Jul 3, 2019, 10:31:02 AM7/3/19

to jenkinsc...@googlegroups.com

Nick Jones commented on

JENKINS-55624

Re: Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

I see the same behavior, and it appears to be specific to Freestyle jobs using Git as an SCM; Mercurial and Subversion still present the full list of credentials to choose from. Accordingly, I've added git-plugin to the Component/s list here.

Also, creating a new user and adding credentials are not necessary as part of reproducing this. It is enough to have an existing Freestyle job that uses an existing "username with password" credential for the Git SCM configuration on the job. Simply switching the global build authorization strategy from "Run as SYSTEM" to "Run as Specific User" (and specifying a user, of course) causes the credentials list when configuring a job to be empty. Jobs that were already created (prior to this switch) will have a "- current ~~" option in the list, and will still build (i.e., checkout) properly, but new jobs will only have "~~ none -" and thus will fail.

Add Comment

medianick@gmail.com (JIRA)

unread,

Jul 3, 2019, 10:32:03 AM7/3/19

to jenkinsc...@googlegroups.com

Nick Jones edited a comment on

JENKINS-55624

Re: Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

I see the same behavior, and it appears to be specific to Freestyle jobs using Git as an SCM; Mercurial and Subversion still present the full list of credentials to choose from. Accordingly, I've added {{git-plugin}} to the Component/s list here.

Also, creating a new user and adding credentials are not necessary as part of reproducing this. It is enough to have an existing Freestyle job that uses an existing "username with password" credential for the Git SCM configuration on the job. Simply switching the global build authorization strategy from "Run as SYSTEM" to "Run as Specific User" (and specifying a user, of course) causes the credentials list when configuring a job to be empty. Jobs that were already created (prior to this switch) will have a "{{ - current - }}" option in the list, and will still build (i.e., checkout) properly, but new jobs will only have "{{ - none - }}" and thus will fail.

Add Comment

medianick@gmail.com (JIRA)

unread,

Jul 3, 2019, 10:32:03 AM7/3/19

to jenkinsc...@googlegroups.com

mymarche4@gmail.com (JIRA)

unread,

Jul 5, 2019, 9:50:03 AM7/5/19

to jenkinsc...@googlegroups.com

Mikhail Marchenko updated an issue

Jenkins /

JENKINS-55624

Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Change By:	Mikhail Marchenko
Priority:	Minor Major

Add Comment

rene.scheibe@gmail.com (JIRA)

unread,

Aug 8, 2019, 12:32:03 PM8/8/19

to jenkinsc...@googlegroups.com

René Scheibe updated an issue

Jenkins /

JENKINS-55624

Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Change By:	René Scheibe
Component/s:	authorize-project-plugin

Add Comment

rene.scheibe@gmail.com (JIRA)

unread,

Aug 8, 2019, 12:33:03 PM8/8/19

to jenkinsc...@googlegroups.com

René Scheibe updated an issue

Jenkins /

JENKINS-55624

Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Change By:	René Scheibe

When attempting to configure source control for a freestyle job with the Build Authorization Strategy set to 'Run as Specific User', I don't see any available git credentials.

I have credentials installed and they appear when I set Build Authorization Strategy to "Run as User who Triggered Build". See attached images.

However, if I set the Build Authorization Strategy to "Run as User who Triggered", configure my job with the proper credentials and then switch to "Run as specific user", everything works, but when I go to configure the job the git credentials section of the config page displays the error that the currently configured credentials cannot be found. This is an ugly workaround but it does let my job run as desired.

Steps to Reproduce:

* Install Authorize Project
* Configure Global Security > Access Control for Builds and to allow Per-project configurable build authorization with the "Run as Specific User" and "Run as User who Triggered Build" strategies.
* Add another user to the local jenkins Jenkins user database.
* Create a new freestyle project.
* Enable git source control and add some credentials and select those. Save the project.
* Enable "Configure Build Authorization" and set the strategy to "Run as Specific User". Set this to the new user you added (in my case this was not the same as my currently logged in user but testing showed that it didn't make a difference what user I entered)
* Go back to the Configure page for the job. Observe that no credentials can be found according to the error on the Git SCM section of the page and no credentials appear in the drop down menu.
* Switch the projects authorization strategy to "Run as user who Triggered Build"
* Go back to the Configuration page for the job. Observe that the credentials appear valid and all available credentials appear.

Add Comment

devld@ikedam.jp (JIRA)

unread,

Aug 13, 2019, 12:27:06 AM8/13/19

to jenkinsc...@googlegroups.com

ikedam updated

JENKINS-55624

There're three underlying issues causing this issue:

Why this happens only for "Run as specific user" , not for other strategies like "Run as User who Triggered"?:
- Because credentials in configuration pages are not for the user of builds, but for the user of the job. Jenkins can say that the user of the job is "user1" when you are using "Run as specific user" with "user1" though Jenkins cannot decide the user of the job when you are using "Run as User who Triggered" as the user can be decided only after a build is actually triggered by someone. So "Run as User who Triggered" results configuration pages behave just as when no authorization strategy is set. And this issue is specific to "Run as specific user".
What is credentials for specific users?
- You can configure user-scoped credentials in the user page, which can open from the link over the user name in the right-up part of Jenkins web UI.
Why system global credentials are not displayed in the job configuration pages even when the user has Credentials/View permissions?
- It might be a bug of credentials plugin (I'm not so sure as I don't know much about the design of credentials-plugin). I created JENKINS-58902 and please watch that ticket.

Jenkins /

JENKINS-55624

Authorize Projects plugin causes no git credentials to be found with 'Run as Specific User' Strategy is set

Change By:	ikedam
Status:	Open Fixed but Unreleased
Assignee:	Mike Nicholson
Resolution:	Duplicate

Add Comment

Reply all

Reply to author

Forward